Recent observations on compliance

So last time I talked about the "p" word and how we move forward in a meaningful way in talking about policy. I heard from Sun's Robin Wilton who is active with Liberty Alliance and he told me that at a recent working session of the Liberty Alliance a discussion occurred around "drawing the distinction between public (i.e. government) policy as a driver of privacy issues, and enterprise 'business' policy as another influence on the same matters." Good to know that smart people like Robin and the Liberty folks are working to drive much-needed clarity. I look forward to learning more about the work that's underway. I hear Liberty is working on standard legal and policy (did I say the "p" word?) agreements that can act as a baseline agreement for companies wrestling with things like indemnification across federated domains.

A lot of conversations that I am having these days with companies are about implementing technology to help automate compliance processes and make responding to audit requests easier. One company we talked to last year told us a story that at the time seemed hard to believe, but I now see it happening in every public company: this Fortune 100 company had spent 50 man months doing 1 -- ONE! -- audit across their so-called Sarbanes applications (apps with sensitive data on which access must be well controlled). 50 man months checking for separation-of-duty problems across 35 applications. That's 50 man months they were not focused on getting their partner portal launched, updating their ERP system, etc., because they were manually checking for access-control-related risks that could lead to bad things happening. It's a common story.
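The separation-of-duty check that the company above did by hand is the kind of thing automation handles in seconds. Here is an added example (mine, not from the post or from any Sun product) that runs a small set of toxic-combination rules over a constructed entitlement export spanning several applications; the user names, application names and rules are all made up for illustration.

```python
"""Automated separation-of-duty (SoD) check across application entitlements.

Constructed example: entitlement records as an audit tool might export them
from several applications, plus a small toxic-combination rule set.
"""
from collections import defaultdict

# Constructed entitlement export: (user, application, entitlement)
ENTITLEMENTS = [
    ("alice", "AP", "create_vendor"),
    ("alice", "AP", "approve_payment"),       # same-application conflict
    ("bob",   "HR", "add_employee"),
    ("bob",   "Payroll", "run_payroll"),      # cross-application conflict
    ("carol", "AP", "create_vendor"),
    ("carol", "GL", "post_journal"),          # no rule covers this pair
    ("dave",  "Payroll", "run_payroll"),
]

# Constructed SoD rules: each is a pair of (application, entitlement) values
# that one person must never hold together.
SOD_RULES = [
    frozenset({("AP", "create_vendor"), ("AP", "approve_payment")}),
    frozenset({("HR", "add_employee"), ("Payroll", "run_payroll")}),
]


def access_by_user(entitlements):
    """Collapse the export into who-has-access-to-what, keyed by user."""
    held = defaultdict(set)
    for user, app, ent in entitlements:
        held[user].add((app, ent))
    return held


def find_sod_violations(entitlements, rules):
    """Return sorted (user, rule) pairs where a user holds both halves of a rule.

    Each rule is checked against the union of a user's entitlements across
    every application, so cross-application conflicts are caught too.
    """
    held = access_by_user(entitlements)
    violations = []
    for user, ents in held.items():
        for rule in rules:
            if rule <= ents:  # user holds every entitlement in the rule
                violations.append((user, tuple(sorted(rule))))
    return sorted(violations)


if __name__ == "__main__":
    for user, rule in find_sod_violations(ENTITLEMENTS, SOD_RULES):
        print(f"SoD violation: {user} holds {rule[0]} and {rule[1]}")
```

The same `access_by_user` view is what an access review or an identity-based forensic query would start from; the rule set is where the business policy actually lives.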

Here are my observations on compliance:

It's happening around the globe. Every country (well, a lot of countries) and a lot of national governments have Sarbanes-like legislation or regulation out or in the works. As I travel around the world the topic comes up everywhere. From national governments (think HSPD-12) to legislation affecting publicly traded companies (think Sarbanes, HIPAA, Basel II), there are movements afoot to drive better control and security for consumers, citizens, patients and ultimately shareholders.

It's actually good for us. For years I drove without a seatbelt even though I knew I was better off (safer) by wearing one. It wasn't until the law in my state changed and threatened a fine for non-compliance that I changed my behavior. Again, even though I knew I was safer if I wore a seat belt, I chose not to. Now, many years later, wearing a seat belt is just part of driving; I don't think about it, I just buckle up. That's how I see a lot of the "compliance" work being done at companies (Sun as well) and federal agencies these days to get better controls in place. We SHOULD be able to see and approve who-has-access-to-what. We SHOULD be able to quickly do forensics by identity if something goes wrong. We SHOULD be able to control access to critical applications so that bad, unintended things do not happen. Our companies are better off as their risk is lowered with good controls in place. As individuals with 401Ks, we are better off as the risk of Enron/WorldCom-grade failures is lowered. And it's good because this new baseline of control has to be in place for our economy and our businesses to safely face the next wave of growth (think Web 2.0).

In five years we won't talk about it anymore. It will just be how we run our businesses. I look forward to this day. This will be a boon to the printing and marketing industry as every vendor everywhere on the planet will have to revise their collateral to talk about something else. Any predictions on what the new bandwagon will be?


Nice writeup about compliance. Keep it coming.

Posted by guest on March 02, 2006 at 04:41 AM CST #

Good write-up... making the reader think about HIPAA, Basel II, etc. First on the 'p' word: Don't you agree that the privacy initiatives in enterprises are usually the result of public policy/regulation initiatives? Ideally, using the seat belt analogy, I think we would have not had any privacy policies had it not been for regulations demanding enterprises to do so. It's important to note that some mandates are real, while some are voluntary. Ex: Safe Harbor. In either case, a regulation becomes internalized by a corporate as a policy (high-level 2 lines sort of), and then the implementation of policies demands suitable technologies/platforms. Secondly, on compliance. Many enterprises fail to realize the efficiency quotients that compliance regs can squeeze out of them. Yes, the short term tactical goal is always complying, but since you are investing millions in it, why not go ahead and include that in your long term strategy? I think that's when you will need new collaterals for new products/functions.

Posted by Prasanna on March 08, 2006 at 05:52 AM CST #

It would be great if Sun would ever step up to a conversation with RedMonk about the compliance oriented architecture. I won't hold my breath.

Posted by james governor on March 09, 2006 at 02:10 AM CST #
